Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:15
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
a3a49d9c4e62e738941471f03e9adad6b4e63a26b32d940dd5c0dd95ffaddbcd.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a3a49d9c4e62e738941471f03e9adad6b4e63a26b32d940dd5c0dd95ffaddbcd.exe
-
Size
454KB
-
MD5
1472acf169ed83db510b24fa6cfaa28b
-
SHA1
e9f4ea9cccce6c1b88c5fd1d00f4a7f45442c11c
-
SHA256
a3a49d9c4e62e738941471f03e9adad6b4e63a26b32d940dd5c0dd95ffaddbcd
-
SHA512
5d786ae551dfc57c612d4a91e586693c78d193b68da42cf03578a0cde794c2069be94452182e1645581ce3614d807b00197909f91543d54bfdda7173e28e4eee
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3728-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/468-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1220-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-922-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-1073-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-1451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1084 ffxrlxl.exe 900 2064282.exe 1752 e08204.exe 2528 nbnbnn.exe 2188 ppddv.exe 2400 xflxrlx.exe 3280 xrxlxrl.exe 2600 22264.exe 3232 xrrfxff.exe 4060 608440.exe 3732 226082.exe 4864 pppdv.exe 4968 660044.exe 4076 086628.exe 1416 6000826.exe 1040 6826660.exe 2348 64008.exe 5076 bhhbth.exe 740 s4428.exe 3876 hbthbn.exe 1264 482486.exe 1312 022682.exe 4136 jpvjd.exe 4648 46200.exe 3600 nbthnb.exe 2036 6066082.exe 468 hhtnbn.exe 1572 64088.exe 2776 00444.exe 3376 rlrflxl.exe 2804 a6608.exe 3416 htnhtn.exe 2564 nbhbnn.exe 1100 48448.exe 4040 c420024.exe 2948 fxxfxxx.exe 1308 hbttnn.exe 1376 5flfxxl.exe 4768 0804040.exe 2200 s6860.exe 3912 84488.exe 668 k68000.exe 1956 w06266.exe 3868 6848266.exe 4408 9fxrflf.exe 3728 6002660.exe 4140 fxxxrrf.exe 4316 e44480.exe 2656 6888226.exe 3220 k88484.exe 2412 xlrlllf.exe 2428 5rrlfxx.exe 4688 llrrllf.exe 2276 4226682.exe 3692 i466060.exe 656 622600.exe 1684 g8262.exe 4832 jvvvd.exe 2340 rlrlxfl.exe 3252 7frlllf.exe 3732 84448.exe 4864 3hnbtb.exe 4340 q84828.exe 2532 flrlflf.exe -
resource yara_rule behavioral2/memory/3728-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3376-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-425-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2696-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-922-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-1266-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Note that opening the NLS\Language key is also routine for many benign programs; on its own this is a low-fidelity indicator and should be weighed together with the Blackmoon/UPX memory matches and the chained dropped-EXE execution above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e68266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q26026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w62266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6280246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8800026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2060266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c006004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3728 wrote to memory of 1084 3728 a3a49d9c4e62e738941471f03e9adad6b4e63a26b32d940dd5c0dd95ffaddbcd.exe 85 PID 3728 wrote to memory of 1084 3728 a3a49d9c4e62e738941471f03e9adad6b4e63a26b32d940dd5c0dd95ffaddbcd.exe 85 PID 3728 wrote to memory of 1084 3728 a3a49d9c4e62e738941471f03e9adad6b4e63a26b32d940dd5c0dd95ffaddbcd.exe 85 PID 1084 wrote to memory of 900 1084 ffxrlxl.exe 86 PID 1084 wrote to memory of 900 1084 ffxrlxl.exe 86 PID 1084 wrote to memory of 900 1084 ffxrlxl.exe 86 PID 900 wrote to memory of 1752 900 2064282.exe 87 PID 900 wrote to memory of 1752 900 2064282.exe 87 PID 900 wrote to memory of 1752 900 2064282.exe 87 PID 1752 wrote to memory of 2528 1752 e08204.exe 88 PID 1752 wrote to memory of 2528 1752 e08204.exe 88 PID 1752 wrote to memory of 2528 1752 e08204.exe 88 PID 2528 wrote to memory of 2188 2528 nbnbnn.exe 89 PID 2528 wrote to memory of 2188 2528 nbnbnn.exe 89 PID 2528 wrote to memory of 2188 2528 nbnbnn.exe 89 PID 2188 wrote to memory of 2400 2188 ppddv.exe 90 PID 2188 wrote to memory of 2400 2188 ppddv.exe 90 PID 2188 wrote to memory of 2400 2188 ppddv.exe 90 PID 2400 wrote to memory of 3280 2400 xflxrlx.exe 91 PID 2400 wrote to memory of 3280 2400 xflxrlx.exe 91 PID 2400 wrote to memory of 3280 2400 xflxrlx.exe 91 PID 3280 wrote to memory of 2600 3280 xrxlxrl.exe 92 PID 3280 wrote to memory of 2600 3280 xrxlxrl.exe 92 PID 3280 wrote to memory of 2600 3280 xrxlxrl.exe 92 PID 2600 wrote to memory of 3232 2600 22264.exe 93 PID 2600 wrote to memory of 3232 2600 22264.exe 93 PID 2600 wrote to memory of 3232 2600 22264.exe 93 PID 3232 wrote to memory of 4060 3232 xrrfxff.exe 94 PID 3232 wrote to memory of 4060 3232 xrrfxff.exe 94 PID 3232 wrote to memory of 4060 3232 xrrfxff.exe 94 PID 4060 wrote to memory of 3732 4060 608440.exe 95 PID 4060 wrote to memory of 3732 4060 608440.exe 95 PID 4060 wrote to memory of 3732 4060 608440.exe 95 PID 3732 wrote to memory of 4864 3732 226082.exe 96 PID 3732 wrote to 
memory of 4864 3732 226082.exe 96 PID 3732 wrote to memory of 4864 3732 226082.exe 96 PID 4864 wrote to memory of 4968 4864 pppdv.exe 97 PID 4864 wrote to memory of 4968 4864 pppdv.exe 97 PID 4864 wrote to memory of 4968 4864 pppdv.exe 97 PID 4968 wrote to memory of 4076 4968 660044.exe 98 PID 4968 wrote to memory of 4076 4968 660044.exe 98 PID 4968 wrote to memory of 4076 4968 660044.exe 98 PID 4076 wrote to memory of 1416 4076 086628.exe 99 PID 4076 wrote to memory of 1416 4076 086628.exe 99 PID 4076 wrote to memory of 1416 4076 086628.exe 99 PID 1416 wrote to memory of 1040 1416 6000826.exe 100 PID 1416 wrote to memory of 1040 1416 6000826.exe 100 PID 1416 wrote to memory of 1040 1416 6000826.exe 100 PID 1040 wrote to memory of 2348 1040 6826660.exe 101 PID 1040 wrote to memory of 2348 1040 6826660.exe 101 PID 1040 wrote to memory of 2348 1040 6826660.exe 101 PID 2348 wrote to memory of 5076 2348 64008.exe 102 PID 2348 wrote to memory of 5076 2348 64008.exe 102 PID 2348 wrote to memory of 5076 2348 64008.exe 102 PID 5076 wrote to memory of 740 5076 bhhbth.exe 103 PID 5076 wrote to memory of 740 5076 bhhbth.exe 103 PID 5076 wrote to memory of 740 5076 bhhbth.exe 103 PID 740 wrote to memory of 3876 740 s4428.exe 104 PID 740 wrote to memory of 3876 740 s4428.exe 104 PID 740 wrote to memory of 3876 740 s4428.exe 104 PID 3876 wrote to memory of 1264 3876 hbthbn.exe 105 PID 3876 wrote to memory of 1264 3876 hbthbn.exe 105 PID 3876 wrote to memory of 1264 3876 hbthbn.exe 105 PID 1264 wrote to memory of 1312 1264 482486.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3a49d9c4e62e738941471f03e9adad6b4e63a26b32d940dd5c0dd95ffaddbcd.exe"C:\Users\Admin\AppData\Local\Temp\a3a49d9c4e62e738941471f03e9adad6b4e63a26b32d940dd5c0dd95ffaddbcd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\ffxrlxl.exec:\ffxrlxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\2064282.exec:\2064282.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\e08204.exec:\e08204.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\nbnbnn.exec:\nbnbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\ppddv.exec:\ppddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\xflxrlx.exec:\xflxrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\xrxlxrl.exec:\xrxlxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\22264.exec:\22264.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\xrrfxff.exec:\xrrfxff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\608440.exec:\608440.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\226082.exec:\226082.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\pppdv.exec:\pppdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\660044.exec:\660044.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\086628.exec:\086628.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\6000826.exec:\6000826.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\6826660.exec:\6826660.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\64008.exec:\64008.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\bhhbth.exec:\bhhbth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\s4428.exec:\s4428.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\hbthbn.exec:\hbthbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\482486.exec:\482486.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\022682.exec:\022682.exe23⤵
- Executes dropped EXE
PID:1312 -
\??\c:\jpvjd.exec:\jpvjd.exe24⤵
- Executes dropped EXE
PID:4136 -
\??\c:\46200.exec:\46200.exe25⤵
- Executes dropped EXE
PID:4648 -
\??\c:\nbthnb.exec:\nbthnb.exe26⤵
- Executes dropped EXE
PID:3600 -
\??\c:\6066082.exec:\6066082.exe27⤵
- Executes dropped EXE
PID:2036 -
\??\c:\hhtnbn.exec:\hhtnbn.exe28⤵
- Executes dropped EXE
PID:468 -
\??\c:\64088.exec:\64088.exe29⤵
- Executes dropped EXE
PID:1572 -
\??\c:\00444.exec:\00444.exe30⤵
- Executes dropped EXE
PID:2776 -
\??\c:\rlrflxl.exec:\rlrflxl.exe31⤵
- Executes dropped EXE
PID:3376 -
\??\c:\a6608.exec:\a6608.exe32⤵
- Executes dropped EXE
PID:2804 -
\??\c:\htnhtn.exec:\htnhtn.exe33⤵
- Executes dropped EXE
PID:3416 -
\??\c:\nbhbnn.exec:\nbhbnn.exe34⤵
- Executes dropped EXE
PID:2564 -
\??\c:\48448.exec:\48448.exe35⤵
- Executes dropped EXE
PID:1100 -
\??\c:\c420024.exec:\c420024.exe36⤵
- Executes dropped EXE
PID:4040 -
\??\c:\fxxfxxx.exec:\fxxfxxx.exe37⤵
- Executes dropped EXE
PID:2948 -
\??\c:\hbttnn.exec:\hbttnn.exe38⤵
- Executes dropped EXE
PID:1308 -
\??\c:\5flfxxl.exec:\5flfxxl.exe39⤵
- Executes dropped EXE
PID:1376 -
\??\c:\0804040.exec:\0804040.exe40⤵
- Executes dropped EXE
PID:4768 -
\??\c:\s6860.exec:\s6860.exe41⤵
- Executes dropped EXE
PID:2200 -
\??\c:\84488.exec:\84488.exe42⤵
- Executes dropped EXE
PID:3912 -
\??\c:\k68000.exec:\k68000.exe43⤵
- Executes dropped EXE
PID:668 -
\??\c:\w06266.exec:\w06266.exe44⤵
- Executes dropped EXE
PID:1956 -
\??\c:\6848266.exec:\6848266.exe45⤵
- Executes dropped EXE
PID:3868 -
\??\c:\9fxrflf.exec:\9fxrflf.exe46⤵
- Executes dropped EXE
PID:4408 -
\??\c:\6002660.exec:\6002660.exe47⤵
- Executes dropped EXE
PID:3728 -
\??\c:\fxxxrrf.exec:\fxxxrrf.exe48⤵
- Executes dropped EXE
PID:4140 -
\??\c:\e44480.exec:\e44480.exe49⤵
- Executes dropped EXE
PID:4316 -
\??\c:\6888226.exec:\6888226.exe50⤵
- Executes dropped EXE
PID:2656 -
\??\c:\k88484.exec:\k88484.exe51⤵
- Executes dropped EXE
PID:3220 -
\??\c:\xlrlllf.exec:\xlrlllf.exe52⤵
- Executes dropped EXE
PID:2412 -
\??\c:\5rrlfxx.exec:\5rrlfxx.exe53⤵
- Executes dropped EXE
PID:2428 -
\??\c:\llrrllf.exec:\llrrllf.exe54⤵
- Executes dropped EXE
PID:4688 -
\??\c:\4226682.exec:\4226682.exe55⤵
- Executes dropped EXE
PID:2276 -
\??\c:\i466060.exec:\i466060.exe56⤵
- Executes dropped EXE
PID:3692 -
\??\c:\622600.exec:\622600.exe57⤵
- Executes dropped EXE
PID:656 -
\??\c:\g8262.exec:\g8262.exe58⤵
- Executes dropped EXE
PID:1684 -
\??\c:\jvvvd.exec:\jvvvd.exe59⤵
- Executes dropped EXE
PID:4832 -
\??\c:\rlrlxfl.exec:\rlrlxfl.exe60⤵
- Executes dropped EXE
PID:2340 -
\??\c:\7frlllf.exec:\7frlllf.exe61⤵
- Executes dropped EXE
PID:3252 -
\??\c:\84448.exec:\84448.exe62⤵
- Executes dropped EXE
PID:3732 -
\??\c:\3hnbtb.exec:\3hnbtb.exe63⤵
- Executes dropped EXE
PID:4864 -
\??\c:\q84828.exec:\q84828.exe64⤵
- Executes dropped EXE
PID:4340 -
\??\c:\flrlflf.exec:\flrlflf.exe65⤵
- Executes dropped EXE
PID:2532 -
\??\c:\60660.exec:\60660.exe66⤵PID:3292
-
\??\c:\jdddv.exec:\jdddv.exe67⤵PID:3928
-
\??\c:\800826.exec:\800826.exe68⤵PID:1220
-
\??\c:\jdjdv.exec:\jdjdv.exe69⤵PID:2376
-
\??\c:\pdddv.exec:\pdddv.exe70⤵PID:2704
-
\??\c:\hnbthh.exec:\hnbthh.exe71⤵PID:3988
-
\??\c:\8404488.exec:\8404488.exe72⤵PID:2880
-
\??\c:\m0648.exec:\m0648.exe73⤵PID:740
-
\??\c:\2460444.exec:\2460444.exe74⤵PID:1188
-
\??\c:\bbtthh.exec:\bbtthh.exe75⤵PID:1852
-
\??\c:\628226.exec:\628226.exe76⤵PID:3092
-
\??\c:\8262282.exec:\8262282.exe77⤵PID:3360
-
\??\c:\222260.exec:\222260.exe78⤵PID:4128
-
\??\c:\fllxrlf.exec:\fllxrlf.exe79⤵PID:2108
-
\??\c:\c248882.exec:\c248882.exe80⤵PID:4588
-
\??\c:\9vpjd.exec:\9vpjd.exe81⤵PID:4572
-
\??\c:\rxxrfrr.exec:\rxxrfrr.exe82⤵PID:1592
-
\??\c:\nhhhbt.exec:\nhhhbt.exe83⤵PID:2112
-
\??\c:\06660.exec:\06660.exe84⤵PID:700
-
\??\c:\868880.exec:\868880.exe85⤵PID:2296
-
\??\c:\208226.exec:\208226.exe86⤵PID:3476
-
\??\c:\466000.exec:\466000.exe87⤵PID:4164
-
\??\c:\pdjdj.exec:\pdjdj.exe88⤵PID:2244
-
\??\c:\08880.exec:\08880.exe89⤵PID:1804
-
\??\c:\8404068.exec:\8404068.exe90⤵PID:3788
-
\??\c:\60662.exec:\60662.exe91⤵PID:3012
-
\??\c:\jddjj.exec:\jddjj.exe92⤵PID:1704
-
\??\c:\nbhtnb.exec:\nbhtnb.exe93⤵PID:3500
-
\??\c:\dpvvp.exec:\dpvvp.exe94⤵PID:1596
-
\??\c:\066044.exec:\066044.exe95⤵PID:3068
-
\??\c:\262644.exec:\262644.exe96⤵PID:1308
-
\??\c:\4626448.exec:\4626448.exe97⤵PID:1376
-
\??\c:\7ththt.exec:\7ththt.exe98⤵PID:4768
-
\??\c:\06882.exec:\06882.exe99⤵PID:2496
-
\??\c:\7djdv.exec:\7djdv.exe100⤵PID:4908
-
\??\c:\pvdvj.exec:\pvdvj.exe101⤵
- System Location Discovery: System Language Discovery
PID:4592 -
\??\c:\8800026.exec:\8800026.exe102⤵
- System Location Discovery: System Language Discovery
PID:2292 -
\??\c:\i404444.exec:\i404444.exe103⤵PID:1560
-
\??\c:\ddvjv.exec:\ddvjv.exe104⤵PID:1400
-
\??\c:\04400.exec:\04400.exe105⤵PID:2696
-
\??\c:\46666.exec:\46666.exe106⤵PID:2164
-
\??\c:\hbbttt.exec:\hbbttt.exe107⤵PID:3340
-
\??\c:\6402666.exec:\6402666.exe108⤵PID:3276
-
\??\c:\644824.exec:\644824.exe109⤵PID:1752
-
\??\c:\260482.exec:\260482.exe110⤵PID:1056
-
\??\c:\466048.exec:\466048.exe111⤵PID:1960
-
\??\c:\1lfxlfx.exec:\1lfxlfx.exe112⤵PID:976
-
\??\c:\2226004.exec:\2226004.exe113⤵PID:4888
-
\??\c:\606666.exec:\606666.exe114⤵PID:4480
-
\??\c:\ffrllfr.exec:\ffrllfr.exe115⤵PID:3516
-
\??\c:\tnhhtt.exec:\tnhhtt.exe116⤵PID:3388
-
\??\c:\206844.exec:\206844.exe117⤵PID:2560
-
\??\c:\2604484.exec:\2604484.exe118⤵PID:836
-
\??\c:\jdddv.exec:\jdddv.exe119⤵PID:1568
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe120⤵PID:3564
-
\??\c:\6044804.exec:\6044804.exe121⤵PID:428
-
\??\c:\s8226.exec:\s8226.exe122⤵PID:4564